Overview

While trying to open a specific website, the site cannot be reached with ERR_HTTP2_PROTOCOL_ERROR shown in the Chrome browser.

The site couldn't be loaded despite having a valid SSL certificate or changing Kerio Control Filtering settings.

This article provides details on potential reasons for website inaccessibility and how to work around them.

Information

Kerio Control may refuse the HTTP connection because of 3 different variables (located in /opt/kerio/winroute/winroute.cfg), that are responsible for Protocol handling.

• DisabledProtocols - SSL/TLS protocols that should be disabled. Defaults are SSLv2, SSLv3
• HttpProxyAllowProtocolSwitch - Bool value (default = 1) for allowing HTTP/HTTPS protocols change
• ReverseProxyProtocolSwap - Bool value (default = 1) for allowing Protocols swap for Reverse Proxy

For more information about configuration change, please refer to Modifying parameters in Kerio Control.

The common reasons for such an error are:

1. Country/IP-based restrictions implemented on the website itself or Kerio Control > Security settings > GeoIP Filter.
2. Website non-optimal development or security measurements.
3. Government restrictions for certain locations.
4. Kerio Control Intrusion Prevention System (IPS) block.
5. Kerio Control Application Awareness and Content Filtering restrictions.

For troubleshooting purposes, it's recommended to enable "Packets dropped for some reason" and "Connection tracking" in Debug logs and review Filter and Security logs to determine which UTM functionality is dropping the connection.

Once it's done, disable the necessary feature or configure the appropriate exception/whitelist item:

Configuring Ignored Intrusions (IPS)

Legit website is being blocked by Web Filter